What does CCPA mean for your business?
CCPA has shaken some businesses lately, as these new regulations aim to strengthen privacy protections for consumers. But where do you even begin to make sure your business is taking the necessary action?
Well, for starters, you can stop reading (at least for now) if your business does not meet at least one of the thresholds below:
- Generates over $25M in annual revenue in the USA, while operating in California to any extent
- Collects over 50,000 emails & operates as a business in California to any extent
- Makes over half of its revenue from selling data
What is CCPA?
Still with me? Great!
In 2018 the CCPA, short for the California Consumer Privacy Act, was passed by the California State Legislature in about a week. Although the bill went into effect on January 1st, 2020, it is still not fully clear what this legislation will mean for compliance and regulation. In fact, the bill is still being tweaked as we speak, and it will not be enforced until July 1st.
The purpose of the bill
CCPA was enacted to give transparency and power back to the consumer, much like GDPR. It does this by requiring companies to let users access and understand what personal data a given website collects about them, and to tell them where that data is being sold and to whom.
The law also allows users to opt out of data collection, to have the data already collected about them deleted, and to be assured that they will not be discriminated against or disadvantaged for exercising those privacy rights on a site.
We spoke with Dan Kagan, Associate at the leading IP law firm Murtha Cullina LLP, about what CCPA means for businesses right now and what it could mean for other states that may follow suit:
“As the United States does not have federal privacy laws beyond specific business sections (e.g. HIPAA for health care, GLBA for financial services), California is the first State to enact privacy legislation of this depth and magnitude. However, we expect other states to soon follow suit, using California as a blueprint. For example, Illinois, Virginia and Washington currently have legislation pending to expand consumers’ privacy rights. It may take some time to get a better understanding of enforcement actions; however, we would expect, as with GDPR, that early enforcement actions would focus on larger companies involved in the sale of personal information, rather than smaller entities.”
How can you assure that you are compliant as a business?
As currently written, companies and organizations must “implement and maintain reasonable security procedures and practices” to comply with CCPA. Because that standard is broad, some specific actions have already been spelled out as requirements, but additional regulations remain possible once initial compliance has been documented and observed. To make sure your business is compliant, your website must include or adhere to the following:
- Your site’s homepage must provide a visible link through which users can opt out of having their information sold
- For users under 13, you must obtain parental or guardian consent to collect data on them
- For users between the ages of 13 and 16, the users themselves must consent to data being collected on them through an opt-in mechanism, in the same vein as GDPR compliance
- Provide a way for users to request access to their data, whether online or through a customer service phone number
- When a California resident opts out, you must avoid requesting opt-in consent for the following 365 days
- Privacy policies must be updated to account for California residents’ rights under the CCPA
In many cases, most of a site’s users won’t fall within the CCPA pool that must opt in to having their data collected. Unfortunately, because some users will, it is very difficult to serve these prompts only to the users they apply to and not to everyone else (i.e. those outside California and those over the age of 16).
This likely means you will have to include all of the compliance requirements for every user who visits, unless you can confidently geotarget by IP address with extreme accuracy, which is, needless to say, a bit of a risk to take.
What happens if you don’t comply with CCPA?
We recommend playing it safe and making sure all bases are covered until there is a better understanding of the full ramifications of these sanctions; it may take 6-18 months to fully grasp their magnitude.
As of now, the penalties appear to range from civil class-action lawsuits, in the event of a data breach, to fines for noncompliance ($2,500 for unintentional violations and $7,500 per intentional violation).
Work with your legal and compliance teams to understand which key assets and touchpoints you need to update across your digital channels. Not sure where to start? We’re happy to help!